Mini Shai-Hulud Worm Deploys SLSA-Attested Malware Across Major Package Ecosystems

TL;DR
  • What: TeamPCP's Mini Shai-Hulud worm (CVE-2026-45321, CVSS 9.6) hijacked GitHub Actions OIDC tokens to publish validly SLSA Build Level 3-attested malicious versions of 42 TanStack packages plus packages from Mistral AI, UiPath, OpenSearch, and Guardrails AI.
  • Impact: 84 malicious releases across major npm/PyPI ecosystems; malware steals cloud, crypto, and CI credentials and exfiltrates them to attacker-controlled infrastructure via Session Protocol and GitHub GraphQL.
  • Fix / mitigation: Scope OIDC trusted publisher config to specific protected branches and workflow files; audit dependencies from all five affected vendors; remove bypass_2fa npm tokens; do NOT revoke tokens before isolating the machine (triggers rm -rf ~/ wiper).
  • Who's at risk: Any developer or CI pipeline that installed TanStack, Mistral AI, UiPath, OpenSearch, or Guardrails AI npm/PyPI packages between the campaign's start and ecosystem-level yanks; organizations using repository-scoped OIDC trusted publishers on npm.

TeamPCP has executed a sophisticated supply chain attack targeting multiple high-profile package repositories, marking the first documented case of an npm worm that produces validly attested malicious packages at SLSA Build Level 3. The campaign, tracked as Mini Shai-Hulud, compromised 42 packages across the TanStack ecosystem plus packages from Mistral AI, UiPath, OpenSearch, and Guardrails AI. The attack exploits GitHub Actions OIDC token hijacking and trusted publishing mechanisms to bypass traditional authentication entirely.

Attack Vector: OIDC Token Hijacking Through GitHub Actions

The TanStack compromise (CVE-2026-45321, CVSS 9.6) leverages a chained GitHub Actions attack involving three critical components: pull_request_target triggers, GitHub Actions cache poisoning, and runtime memory extraction of OIDC tokens from the GitHub Actions runner process. Attackers staged malicious payloads in a GitHub fork via orphaned commits, then hijacked the project's legitimate TanStack/router workflow to publish compromised versions with valid SLSA provenance.

The attack abuses trusted publishing by allowing attacker-controlled code running within a workflow to leverage OIDC permissions to mint short-lived publish tokens during the build. Because TanStack's OIDC trusted publisher configuration granted trust at the repository level rather than being scoped to a specific protected branch and workflow file, the workflow run triggered by the orphaned commit successfully requested valid npm publish tokens. No npm tokens were stolen directly, and the npm publish workflow itself remained uncompromised.

Critical Configuration Gap

The attack succeeded because OIDC trusted publisher configuration granted repository-level trust rather than branch-specific scoping. Organizations must scope OIDC trust to specific protected branches and workflow files to prevent similar attacks.
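To make that configuration gap concrete, the following added example (not RedEye's or TanStack's code) audits a parsed GitHub Actions workflow for an OIDC-minting job (id-token: write) that is reachable from a pull_request_target run or from pushes not pinned to the protected release branch; the two workflow dicts are constructed here, and the job and environment names in them are assumptions.

```python
# Added example (not RedEye's or TanStack's code): audit a parsed GitHub
# Actions workflow for the gap the post describes: an OIDC-minting job
# (id-token: write) reachable from a pull_request_target run, or from pushes
# not pinned to the release branch. Dicts are constructed; use yaml.safe_load.

def _triggers(wf):
    """Normalise the `on:` block to {event: config}. PyYAML reads a bare
    `on` key as the boolean True, so both spellings are accepted."""
    on = wf.get("on", wf.get(True, {}))
    if isinstance(on, str):
        return {on: {}}
    if isinstance(on, list):
        return {ev: {} for ev in on}
    return {ev: (cfg or {}) for ev, cfg in on.items()}

def _mints_oidc(perms):
    """True if a permissions block lets the job request an OIDC token."""
    return perms == "write-all" or (isinstance(perms, dict) and perms.get("id-token") == "write")

def audit_workflow(wf, release_branch="main"):
    """Return findings; [] means OIDC minting sits behind a branch-pinned
    trigger and a deployment environment (whose branch policy enforces it)."""
    findings, triggers = [], _triggers(wf)
    top_perms = wf.get("permissions", {})
    for name, job in wf.get("jobs", {}).items():
        if not _mints_oidc(job.get("permissions", top_perms)):
            continue  # cannot mint publish tokens, so out of scope
        if "pull_request_target" in triggers:
            findings.append(f"job '{name}' mints OIDC but workflow runs on pull_request_target")
        push = triggers.get("push")
        if push is not None and push.get("branches") != [release_branch]:
            findings.append(f"job '{name}' mints OIDC on pushes not pinned to '{release_branch}'")
        if "environment" not in job:
            findings.append(f"job '{name}' mints OIDC outside a protected environment")
    return findings

# Constructed sample: repository-wide trust, the pattern the post warns about.
UNSAFE_WORKFLOW = {
    "on": {"pull_request_target": {}, "push": {}},
    "permissions": {"id-token": "write", "contents": "read"},
    "jobs": {"publish": {"runs-on": "ubuntu-latest", "steps": []}},
}
# Constructed sample: minting only on the protected branch inside an environment.
HARDENED_WORKFLOW = {
    "on": {"push": {"branches": ["main"]}},
    "permissions": {"contents": "read"},
    "jobs": {"publish": {"runs-on": "ubuntu-latest", "environment": "npm-release",
                         "permissions": {"id-token": "write", "contents": "read"},
                         "steps": []}},
}
```

The workflow-file side is only half of the fix: the npm trusted publisher entry must also name that single workflow file and environment so tokens cannot be minted from any other run.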

Self-Propagating Worm Mechanics

The worm demonstrates advanced propagation capabilities by locating publishable npm tokens with bypass_2fa set to true, enumerating every package published by the same maintainer, and exchanging GitHub OIDC tokens for per-package publish tokens. This allows the malware to spread laterally across entire package ecosystems without traditional credential theft. The worm has already spread beyond TanStack to packages from UiPath, DraftLab, and other maintainers, demonstrating its autonomous propagation capabilities.

The affected npm packages contain an obfuscated JavaScript file (router_init.js) that profiles the execution environment before launching a comprehensive credential stealer. The malware targets cloud providers, cryptocurrency wallets, AI tools, messaging apps, and CI systems including GitHub Actions. Stolen data is exfiltrated to filev2.getsession[.]org, leveraging Session Protocol infrastructure to evade detection since the domain belongs to a legitimate decentralized messaging service unlikely to be blocked in enterprise environments.

Persistence and Fallback Mechanisms

The malware establishes multiple persistence mechanisms to survive system reboots. It installs hooks in Claude Code and Microsoft Visual Studio Code that re-execute the stealer on every IDE launch. A gh-token-monitor service continuously monitors and re-exfiltrates GitHub tokens. The malware also injects two malicious GitHub Actions workflows that serialize repository secrets into JSON objects and upload data to api.masscan[.]cloud.

As a fallback exfiltration channel, encrypted data is committed to attacker-controlled repositories using the author name claude@users.noreply.github.com via the GitHub GraphQL API with stolen GitHub tokens. This dual-channel approach ensures data exfiltration even if primary infrastructure is detected and blocked.

Destructive Wiper Component: The Dead Man's Switch

The most aggressive evolution in this campaign is the introduction of a dead man's switch that functions as wiper malware. The mechanism uses a shell script that polls api.github.com/user every 60 seconds to verify that an npm token created by the malware remains active. The token carries the description 'IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.' If a developer revokes the token from their npm dashboard, the script triggers a destructive routine executing 'rm -rf ~/' on the infected machine, deleting the user's entire home directory.

Critical Response Protocol

Do not revoke npm tokens before isolating and imaging the system. The malware includes a wiper component that will destroy the infected machine's home directory if the token is revoked. Follow proper incident response procedures: isolate, image, then remediate.

Attack Variants Across Ecosystems

TeamPCP deployed different infection strategies across target ecosystems. The TanStack cluster includes a JavaScript file within the package tarball and adds an optional dependency pointing to a GitHub-hosted package. This GitHub dependency contains a prepare lifecycle hook that executes the JavaScript payload via the Bun runtime. The Mistral AI packages follow an earlier approach, replacing package.json contents with a preinstall hook to invoke 'node setup.mjs,' which downloads Bun and runs the same JavaScript malware. This diversification demonstrates TeamPCP's adaptability and makes detection more challenging.

Detection and Response Priorities

Organizations must immediately audit all dependencies from affected vendors: TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI. Check for the presence of router_init.js files, unexpected Bun runtime installations, and suspicious preinstall or prepare hooks in package.json. Network monitoring should flag connections to filev2.getsession[.]org and api.masscan[.]cloud. Monitor GitHub repositories for commits from claude@users.noreply.github.com.
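The package-level checks above, as an added example that is not RedEye's code: it walks a node_modules tree and flags a router_init.js file, a preinstall or prepare hook that runs `node setup.mjs` or Bun, and an optional dependency resolved from GitHub instead of the registry. The sample tree, package names and hook commands are constructed for the run.

```python
# Added example (not RedEye's code): walk node_modules and flag the indicators
# the post lists: router_init.js, preinstall/prepare hooks running `node
# setup.mjs` or Bun, and optional deps pulled from GitHub. Fixture is constructed.
import json, re, tempfile
from pathlib import Path

HOOKS = ("preinstall", "prepare")
HOOK_PATTERN = re.compile(r"setup\.mjs|\bbunx?\b", re.IGNORECASE)
GIT_SPEC = re.compile(r"^(github:|git\+|https?://github\.com/|[\w.-]+/[\w.-]+$)")

def scan_package(pkg_dir):
    """Return human-readable findings for one installed package directory."""
    findings = []
    if (pkg_dir / "router_init.js").exists():
        findings.append("router_init.js present")
    manifest = pkg_dir / "package.json"
    try:
        pkg = json.loads(manifest.read_text())
    except (OSError, json.JSONDecodeError):
        return findings + ["package.json missing or unparseable"]
    for hook, cmd in (pkg.get("scripts") or {}).items():
        if hook in HOOKS and HOOK_PATTERN.search(str(cmd)):
            findings.append(f"{hook} hook runs: {cmd}")
    for dep, spec in (pkg.get("optionalDependencies") or {}).items():
        if GIT_SPEC.match(str(spec)):
            findings.append(f"optionalDependency {dep} resolved from GitHub: {spec}")
    return findings

def scan_node_modules(root):
    """Map package path (relative to root) -> findings; clean packages omitted."""
    root, results = Path(root), {}
    for manifest in root.rglob("package.json"):
        hits = scan_package(manifest.parent)
        if hits:
            results[str(manifest.parent.relative_to(root))] = hits
    return results

def build_sample_tree():
    """Constructed fixture: one clean package and one mimicking the variants."""
    root = Path(tempfile.mkdtemp())
    clean = root / "node_modules" / "example-clean"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({"name": "example-clean", "version": "1.0.0"}))
    bad = root / "node_modules" / "@example" / "router-like"
    bad.mkdir(parents=True)
    (bad / "router_init.js").write_text("// placeholder, not the real payload\n")
    (bad / "package.json").write_text(json.dumps({
        "name": "@example/router-like", "scripts": {"preinstall": "node setup.mjs"},
        "optionalDependencies": {"helper": "github:example-org/helper"}}))
    return root
```

Run `scan_node_modules` against each CI image and developer checkout; the hook and GitHub-dependency checks also catch lookalikes that drop the router_init.js filename.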

Strategic Implications

This campaign represents a fundamental shift in supply chain attacks from isolated package compromise to identity-driven propagation through trusted CI/CD infrastructure. Once attackers gain access to publishing workflows and pipeline identities, the software delivery process itself becomes the distribution mechanism. The production of validly attested malicious packages at SLSA Build Level 3 undermines trust in software supply chain security frameworks designed specifically to prevent such attacks.

TeamPCP's growing aggression—evidenced by the wiper component and increasingly sophisticated evasion techniques—indicates that developers and their workstations have become high-value targets. The challenge for defenders is that much of this activity appears legitimate on the surface, leveraging trusted infrastructure and valid credentials. Organizations must move beyond signature-based detection to behavioral analysis of CI/CD pipeline activity and implement zero-trust principles even for supposedly trusted publishing mechanisms. The era of implicit trust in package provenance is over.
